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Abstract. We consider the following question: given a group-homomorphic 
public-key encryption E, a ciphertext c = E{x,pk) hiding a value x using 
a key pk, and a ’’suitable” description of a function /, can we evaluate 
E(f(x),pk) without decrypting c? We call this an oblivious lookup table 
and show the existence of such a primitive. To this end, we describe a 
concrete construction, discuss its security and relations to other cryp¬ 
tographic primitives, and point out directions of future investigations 
towards generalizations. 
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1 Introduction and Concept 

This short note is about the following setting: let / : X —> V be a 
mapping between finite sets. Assume that the sizes of X and Y are 
sufficiently small to permit a specification of / via a lookup-table. Let 
E(m, k) denote a group-homomorphic encryption of a message m under 
a key k, where E can be symmetric or asymmetric. Let E be group- 
homomorphic in the sense that E(mi ■ m, 2 ,K ) = E(mi,K) ■ E(m 2 ,K), 
where • denotes the respective group operations within the plain- and 
ciphertext space. 

In this setting, we consider the following question: given E and an en¬ 
crypted value c = E{x, k), can we compute E(f( x),k) without decrypt¬ 
ing cl We call any such implementation of / an oblivious lookup table, 
as it shall effectively hide the evaluation of /, or equivalently, evaluate / 
only on ciphertexts by virtue of conventional homomorphic encryption. 
Becoming more specifically, let p = 2q+l be a safe prime (i.e., q is a prime 
too), and let G C Zip denote the g-order subgroup generated by some 
element g £ Z p . We first describe the lookup technique in plain form, 
and subsequently wrap the encryption around the necessary operations. 
Let X = {xi ,. .., Xn} C G be an enumeration of (distinct) values to be 
looked up. To each such element Xi, we associate a vector v % = (ar?)fc=o = 
(1, Xi, xi,..., a;" -1 ). Notice that Xi ^ Xj whenever i ^ j implies that the 
vectors vi,... ,v n are all linearly independent, as they essentially form 
the rows of a Vandermonde-matrix V. Without loss of generality, let us 
assume |A'| = n = |Y|, say, by allowing multiple occurrences of the same 
element in Y in case that / is not injective. Under this convention, let 


the (not necessarily pairwise distinct) elements of Y be enumerated as 
Y = {yi,...,y„}. 

We will construct the value of f(xi ) by a scalar product of Vi with a 
vector-representation of the lookup table. That is, the lookup table itself 
is a vector t with the property that vf ■ i = f(xi ) for all i = 1, 2,..., n. 
To this end, let us choose an arbitrary but invertible matrix U G G" xn 
with columns ui,,.. ,u„. Define the lookup table as £ := U ■ a for some 
(yet to be determined) vector a. = (on,... ,a„). Now, let us look at the 
scalar product of v; with U a to yield f{xi) G This results in a linear 
equation ai(vf■ui)+ct 2 {vj ■ 112 ) + • • ■+a n (vf ■u „) = f(xi). Establishing 
this condition for all * — 1,2,..., n, we end up observing that, to find a, 
we need to solve the linear system (V ■ U) ■ a = (f(x 1 ),..., f{x n )) T for 
a. The coefficient matrix V ■ U is invertible by construction, and hence 
we can easily lookup values f{xi) by computing f(xt ) = vf ■ £, taking 
0(n) multiplications and additions. 

Now, let us see if we can equivalently do all the necessary steps when 
the pre-image is encrypted. For that matter, we take an element-wise 
commitment to the Vi from above to represent Xi. That is, the value Xi 
now comes committed and encrypted as E(xi,n) := (E(l,n), E(g Xi ,K), 

2 n — 1 

E(g Xi , k),. .., E(g x * , k)) = (c 1 ,..., c„ ), so that the matrix of expo¬ 
nents remains V = with Vij = x { -1 and as such invertible. 

Since the order of G is a prime, we can - in a setup phase where the 
exponents are known - straightforwardly work out the values a. and the 
lookup table L = (t\,... ,£ n ), which is supplied in plain (not encrypted) 
form to the instance that seeks to evaluate /. 

To evaluate /, let the encrypted input value Xi be given as E(xi,n). 
Then, we can compute the lookup value E(f(xi),K ) as 


k =1 k=1 


Y[c[ k = Y[E{g x * = Y[E{g Vik ,K) aiUkl+a2Uk2+ - anUkn 

k= 1 k= 1 

n 

_ £(g a l v ik' u -kl+ a 2Vik'Uk2+ - + a n.Vil c Ukn ^ ft'j ( 1 ) 


The last equality is instantly obtained by writing out the exponents for 
k = 1, 2,..., n and rearranging terms properly when summing up. 

A final remark is judicious here: the formula yields only a single value 
based on an input vector. To properly implement the lookup to be repeat- 
able, i.e., to model iterations like /(/(• • • f(x) • • •)) or generally functions 
/ : X —>- X, we need to look up all the elements of the output vector via 
separate tables. So, the overall lookup table is no longer a n-dimensional 
vector, but an (n x n)-matrix L = (£ 1 ,... ,tn)- The j-th such lookup 
table £j must then be designed to return whenever the input value 

x is represented by a sequence 1, x, x 2 ,..., x™ _1 in the exponents. That 
is, the mapping f(x) = y, acting on x being represented by encrypted 
values 1 ,g x ,g x ,..., g x , requires n lookups that successively yield 
1 ,9 v ,9 y , • • •, g v , each of which by (1) requires 0(n) exponentiations 
and multiplications. So, the total cost of an oblivious lookup comes to 
0(n 2 ) exponentiations (subsuming multiplications as the cheaper oper¬ 
ation here). 



Considering security, each lookup table is indeed available in plaintext, 
but since it is independent of a particular input and the input and output 
values remain encrypted at all times, knowledge of L cannot release any 
information about the secret x being transferred into the secret result 
f(x). Probabilistic encryptions like ElGamal an offer the additional ap¬ 
peal of enforced re-randomization of the resulting ciphertexts. That is, 
if a distrusted third party does several lookups, it nevertheless cannot 
recognize any results as being identical to previous ones. 

2 Related Work 

This work closely relates to Private Function Evaluation (PFE), which 
provides a system where the function-to-be-evaluated f and the inputs 
are private and the evaluator learns nothing about either aside from the 
(encrypted) results of the evaluation of the function on the inputs. This 
can be realized using Secure Function Evaluation (SFE) over a universal 
circuit ([4, 7]), to which / has to be converted first. Another approach is 
to use a (non-universal) circuit representation of / and employ a Fully 
Homomorphic Encryption (FHE) scheme [2,6]. However, all mentioned 
approaches carry complexities that are too high for practical applica¬ 
tions. Conceptually closest to our ideas seem to be [3] and [5], both 
based on singly homomorphic encryption. The former realises PFE in a 
strict two-party setting with one party providing the function and the 
other providing the inputs. Evaluation is done through a common virtual 
machine. The latter is based on a framework that splits the task into Cir¬ 
cuit Topology Hiding (CTH) and Private Gate Evaluation (PGE) which 
together enable PFE with linear complexity in all standard settings. 
However, both PFE protocols require an interactive setting while we are 
aiming for the non-interactive setting. The security implications tied to 
our simple scheme when being lifted to two-operand functions (if that it 
possible at all) are, however, far from clear and probably intricate (cf. 
[1]) and will be discussed along the research sketched in this abstract. 

3 Open Issues 

A yet open issue is a proper formalization of security for oblivious lookup 
tables. Intuitively, the attacker should be unable to learn anything mean¬ 
ingful from the lookup table as such, since this is nothing but a bunch 
of ciphertexts and hence indistinguishable from self-made cryptograms, 
provided that the encryption is semantically secure. However, a full- 
fledged formal argument and definition of security is subject of future 
considerations. Also, the idea does not obviously generalize to functions 
of multiple inputs, which poses another interesting question for future 
research. 
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